Apple Allegedly Dropped Full iCloud Backup Encryption under FBI Pressure

One downside of iCloud Backup for those who are interested in privacy is that, unlike with the Mac’s FileVault data encryption, Apple provides no option to store the encryption key yourself. Instead, Apple always holds that encryption key, thus giving the company access to everything in your backup. Some similar services—including Backblaze, iDrive Online Backup, SOS Online Backup, and Zoolz Home—allow you to create and store a personal encryption key, ensuring that you and only you can ever read those backups. Lose that key and the data is gone forever, with no recovery option.
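As an added illustration (not code from the article, Apple, or any of the services named), the following models the difference described above: a backup is encrypted under a fresh data key, and that data key is wrapped either with a key the provider holds (so the provider can always restore, and always read) or with a key derived from a passphrase only the user knows (so losing the passphrase loses the backup). The HMAC-based stream cipher, PROVIDER_KEK and the passphrases are constructed stand-ins for a real AEAD and real keys.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the key a backup provider keeps for every account.
PROVIDER_KEK = b"\x01" * 32

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only, not AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, so a wrong key is detected."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _xor_stream(key, nonce, ct)

def _user_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def make_backup(payload: bytes, passphrase=None) -> dict:
    """Encrypt payload under a fresh DEK; wrap the DEK with the provider's KEK
    (escrow model) or with a key derived from the user's passphrase (user-held)."""
    dek, salt = secrets.token_bytes(32), os.urandom(16)
    kek = PROVIDER_KEK if passphrase is None else _user_kek(passphrase, salt)
    return {"user_held": passphrase is not None, "salt": salt,
            "wrapped_dek": seal(kek, dek), "blob": seal(dek, payload)}

def restore(record: dict, passphrase=None) -> bytes:
    """Provider-side restore: succeeds without a passphrase only in the escrow model."""
    if record["user_held"]:
        if passphrase is None:
            raise PermissionError("user-held key: provider cannot recover this backup")
        kek = _user_kek(passphrase, record["salt"])
    else:
        kek = PROVIDER_KEK
    return unseal(unseal(kek, record["wrapped_dek"]), record["blob"])
```

In the escrow model `restore(record)` works with no input from the user, which is exactly the property that makes the backup readable under a court order; in the user-held model the same call fails, and so does any recovery once the passphrase is gone.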

Reuters is reporting that Apple made the decision not to let users create and store personal encryption keys for iCloud Backup under pressure from the US Federal Bureau of Investigation. Apple’s privacy stance has caused it to clash with the FBI in recent years, first over Apple’s inability to decrypt the San Bernardino shooter’s iPhone (see “Thoughts on Tim Cook’s Open Letter Criticizing Backdoors,” 17 February 2016), and most recently over the Pensacola naval base shooting (see “Is the FBI Gearing Up for Another Encryption Fight with Apple?,” 9 January 2020).

Although Apple has used these public spats to bolster its privacy cred, Reuters sources say the company contacted the FBI before moving forward with allowing users to hold their own iCloud Backup encryption keys. The FBI objected, and Apple decided to drop the feature because it “did not want to risk being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption.” Reuters’s sources are anonymous but include several current and former Apple and FBI employees.

However, Reuters may not have the whole story. Both our security editor, Rich Mogull, and iMore’s Rene Ritchie have heard that part of the motivation for not offering a personal encryption key is the number of people who lock themselves out of their iCloud accounts. As long as Apple holds those encryption keys, the company can help users get back into their accounts and restore their data.

What can you do to protect your data from being turned over by Apple in response to a court order? You could disable iCloud backups on your iPhone and iPad in Settings > Your Name > iCloud > iCloud Backup and instead perform encrypted backups on your Mac, either in iTunes or in the Finder in macOS 10.15 Catalina. Unfortunately, we’ve found such backups to be somewhat unreliable in recent years. Also, remember that as of iOS 13, you can now transfer apps and settings directly from an old iPhone to a new one, without the intermediary of an iCloud backup.

Regardless, Apple is stuck between a rock and a hard place. The company’s privacy stance dictates that it should allow users to encrypt their iCloud backups such that even it can’t peek into them. Simultaneously, Apple also has to deal with accusations, now from both Democratic and Republican administrations, of protecting criminals. And it must also walk the more prosaic line of trading off a hard-line privacy stance against the very real need to deal with simple human error at a massive scale.


Comments About Apple Allegedly Dropped Full iCloud Backup Encryption under FBI Pressure

Notable Replies

  1. As I was reading this, I thought that iMazing offered the option to encrypt your backups locally, but now that I’ve gone to the website to look for it, I don’t see any mention of it.

    Does anyone know if it does? I mean, I suppose you could always say that if your Mac has FileVault then you don’t really need your iMazing backups encrypted but I’d definitely use the option if it was offered.

  2. I wonder how Apple’s usual logic applies here. Leave a back door for the good guys and it’s only a question of time until the bad guys figure out how to exploit it. In other words, while I have no trouble with Apple complying with a court-ordered request for data (assuming a court in a free country with a proper judiciary), how can I just assume Apple will never lose the key to my iCloud backup to a bad actor? Unlikely, sure. But impossible, I highly doubt it.

    I feel really good right now about not relying on iCloud backups. All my backups are through iTunes and to my own local encrypted disk.

  3. This is really the key difference between the iCloud and local backups. Even if the backup file isn’t encrypted (and I’m not saying you shouldn’t, I encrypt mine), you can encrypt your local disk and ensure only you have access.

    That’s a big assumption. Apple can’t pick and choose which countries it complies with the law in. And even in those countries that we might consider ‘free’ and with a ‘proper judiciary’, the system can and does get abused by security services. I’m not saying that Apple shouldn’t comply with legal requests to the best of its ability, but I would say that the option to maintain control of one’s data should remain with that person.

  4. Ah, very good. I knew it had the former. The latter is certainly interesting too. Will have to check that out.

    Definitely a good place to use 1Password or similar to create a very long and random password.

  5. Just remember that an iTunes backup that is not encrypted is missing data that both iCloud and iTunes encrypted backups contain, such as email and other app passwords, Health data, WiFi settings, and website history. Unless you’re forgetful (or don’t store the encryption password in the keychain if you have a Mac, which happens by default), you are far better off with an encrypted backup.

  6. I am not savvy to all the ramifications of this. But I know that my medical institution (who owns my phone) has always disabled cloud back up of the device. As already implied by comments here, the Apple cloud is not HIPAA compliant. I can imagine that this is an area where Apple sorely wanted entry given the massive amount of medical data. If you use your device to collect any health information, you may be surprised how often you have given away your HIPAA rights. So you may want to know - is there any patient information on my device? The answer is yes - but it is only in the email, no texts or other messages, no documents. Two-factor identification is used for all access to the electronic health systems when providers are out of the various buildings.

  7. Apple’s HT202303

    https://support.apple.com/en-us/HT202303

    Says “For certain sensitive information, Apple uses end-to-end encryption. This means that only you can access your information, and only on devices where you’re signed into iCloud. No one else, not even Apple, can access end-to-end encrypted information.” And that Health data is included in this category.

    Is this not as good as it seems?

  8. John Gruber is writing a lot about this at Daring Fireball and it’s all worth reading:

  9. Healthcare providers sharing data with third parties is a related angle to throw into the privacy mix. This story just ran in the WSJ:

    And this recently:

    https://www.morningstar.com/news/dow-jones/201911118425/googles-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americansupdate

    Securely encrypted information can still be shared.

  10. I hope Gruber’s right about E2E encryption coming as a new feature to iCloud Backups in the possibly not too distant future. I’m fine backing up locally through iTunes, but I have a hard time believing Apple is planning on keeping that around long-term.

  11. Hi Tom, the problem is not what you store on your phone, it’s what your doctor stores in her phone about you. She can’t even have her schedule on it, if it were going to be backed up to the Apple cloud. This is a big pie that won’t have any apples!

    Hi MM, Even HIPAA allows for sharing of anonymous data without consent. But I suspect that the health information that is being shared includes location data which means it is not very anonymous. I have read all the EULAs and requested my data from all the health apps on my phone. Each and every one collected location data even though these Apps are not listed under ‘Location Sharing’. And I can think of no reason that they needed to know where I was when I used the App.

  12. Location based pharmaceutical advertising is already huge and still rapidly growing in the consumer, physician and healthcare professional markets:

    https://on.emarketer.com/rs/867-SLG-901/images/eMarketer_US_Healthcare_and_Pharma_Industry_StatPack_2018.pdf#page24

  13. This is one of those things that’s so obvious it’s stunning that it took even hours for people to contradict the bs story. Of course it’s about data loss.

  14. Yes M - and now you know what all your seat mates on the subway are doing with their phones.

  15. This.

    Threat models are important. Most people aren’t targeted as individuals, and the biggest threats to their data are probably ransomware, house fires, thieves, etc., any of which can cause loss of all or most data. In some circumstances that data might be needed in a hurry to recover from whatever disaster caused it to be lost. Criminals might also get access to it in general breaches, but for most people that’s a lower level of disaster than a fire. Apple presumably knows exactly the percentage of users locked out from how much data, and I expect it’s not negligible.

    Some groups definitely need more protection–journalists, whistleblowers, protesters, government employees. For them, data being accessed by others is often a bigger threat than losing their own access to it. But they (usually?) know that they have a higher risk and do at least some research into how to mitigate it.

    For each of the various kinds of data you have (contacts, financial, photos, works in progress, etc), you need to consider:

    - What happens if you suddenly lose access to it?
    - What happens if someone else gets it?

    Unfortunately, getting most people to take the time to think about that, let alone act on it, is really hard. For my users, I’m all for data being easily and automatically backed up and recoverable at the expense of some security, because I’ve seen a few of the disasters when it isn’t recoverable.

  16. At least I won’t sell their data.

  17. Even Jeff Bezos wasn’t safe:

  18. Yeah, if you’re really targeted by a nation state, they’re probably going to get you. But Bezos was extra stupid on several fronts. First to have the affair, then to keep the evidence of it and plenty of other goodies on a single phone, then to give that phone’s number directly to a nation-state and not expect something to go wrong. It’s not like he can’t afford to have several phones and numbers so he could compartmentalize a bit. Heck, he could even afford to hire someone to carry them for him and remind him which to use when…

  19. Personally, I’d like the OPTION. I don’t think this should be automatic for everyone, for the obvious reasons stated, but for those of us who fully understood the ramifications, why not?

    ‘Fail secure’ is fine for users who know the risks and can mitigate for them (use a pw mgr, being the obvious one; as you can access your pw’s despite losing all your devices on the good ones). For everyone else ‘fail safe’ is likely all they need or want (although it’d be good if more norms made use of a pw mgr, then it’d mitigate the issue for more users).

    Where this option is selected and how it’s enabled is likely Apple’s problem here. I’d suggest they’d have to make it known to users fairly well, but at the same time make enabling it a more thorough process, with a big banner saying “WARNING! ENABLING THIS FUNCTION MEANS APPLE CANNOT RECOVER ANY OF YOUR DATA FOR YOU IN FUTURE. USERS ARE ADVISED TO CONTINUE ONLY IF THEY HAVE FULL UNDERSTANDING, AS PER SUPPORT DOC: kb123467” or something similar.

    I wonder if instead, they may be thinking beyond this, into non-password related methodologies of user account access, given we know the ongoing issues passwords present.
    Eg.

  20. The initial reporting on this story is a decent example of what is wrong with tech reporting in general nowadays, but the ridiculous re-reporting of it rewritten into scare quotes and clickbait nonsense really does show what is most wrong with the Internet right now.

    All it takes is a tiny bit of thought to see this story for what it is, a twist of “probably” into a machine for making as much money off misunderstanding and outright misinformation as possible.

    I mean, the real tech press has the story mostly right, but all the supposed news sites? What a bunch of garbage masquerading as journalism.

  21. You have the option right now, and always have. Backup to your Mac and encrypt the backup.

    If you want “cloud” backup, copy that backup to your iCloud, Dropbox, OneDrive, etc storage.

  22. I agree with that. When the day comes where I have to back up to iCloud, I’d prefer having to be concerned with how I securely store an absolutely irreplaceable password than having to entrust a corporation I have zero influence over with my private data. For now, no iCloud backups for me.

    Has Apple ever stated how long it takes them to completely erase all and any iCloud data it has after a user deselects iCloud backup?

  23. Yes, obviously you can manually do this, which many techies may consider, but it’s doubtful average people do, or those who are either busy or who want their delta multiple-times-per-day incremental iCloud backups e2e encrypted.

    Clearly I’m talking about a native iCloud solution, so users don’t have to do that, when a simpler in-built solution is possible.

    Also, the point of iCloud backup is that, at least in theory, recovery is a simple process (though we know that often is not the case, unfortunately). For example the simplicity of getting back up and running easily… say you’re out of the country, lose your iPhone, buy a new one, you can set-up straight from iCloud backup, rather than having to have a computer and faff around with a more involved alternative process.

  24. I don’t think that they do delete them, but you can do it yourself. On an iOS device, settings / iCloud / iCloud / Manage Storage / Backups - you can see and delete the backups whenever you wish.

  25. You are absolutely right of course. I guess my question should be, have they ever stated that when a user requests these backups deleted, they are actually promptly removed from Apple’s storage?

    Or could we find out one day that the data could be restored on Apple’s end because it’s only removed from the user’s backup list (and therefore from user access), but Apple actually retains it (or parts of it) for more extended periods of time?

  26. Even if there is no nefarious intent, I would expect some amount of retention. They perform periodic backups of the servers (at least I hope they do). As such, after you delete something, the content probably does exist in recent backups.

    So the question then becomes one of how long they retain these backups. We can assume that if backups exist, they will be searched in response to a court order, even if for no other reason.

  27. I’d presume their data-centres ‘mirror’ copies between two or more locations. So if you delete any data from your service, that deletion is mirrored after a short period of time at their other locations.

    Thus they very likely do NOT have copies anywhere, within a few hours (and unlikely anyone can stop the mirroring event either; meaning you delete it, it’s gone forever).

    Note, of course this doesn’t include the iCloud Drive recently deleted docs function, but anything else like backups it would.
